Splunk Search

Multi source with one index

nithys
Path Finder

Hi All,

I need some help in searching, I have 1 index but it has multiple sources,

Index = Index1

Source = source 1
Source = source 2
Source = source 3

Source = source 4

Source = source 5

Source = source 6

Source = source 7

Now i have a requirement to create an alert search with only first 4 source and exclude the remaining three source 5,6,7

I tried using below query

Index = Index1 source IN ("source 1","source 2","source 3","source 4")

when i tried to exclude 4,5,6 source,getting error.Can you help on this?


Index = Index1
source IN ("source 1","source 2","source 3","source 4")
source  NOT IN ("source 4","source 5","source 3","source 6")
or
Index = Index1 source ! IN ("source 4","source 5","source 6")
source IN ("source 1","source 2","source 3","source 4")
source ! IN ("source 4","source 5","source 3","source 6")

Labels (1)
0 Karma
1 Solution

gcusello
SplunkTrust
SplunkTrust

Hi @nithys ,

you have to put the NOT operatore befor the field, not before IN:

index = Index1
source IN ("source 1","source 2","source 3","source 4")
NOT source IN ("source 4","source 5","source 3","source 6")

Anyway, only for my curiosity: the field source should be unique, so the first (inclusive) condition should be sufficient and the second (exclusive) condition shouldn't be mandatory.

Ciao.

Giuseppe

View solution in original post

gcusello
SplunkTrust
SplunkTrust

Hi @nithys ,

you have to put the NOT operatore befor the field, not before IN:

index = Index1
source IN ("source 1","source 2","source 3","source 4")
NOT source IN ("source 4","source 5","source 3","source 6")

Anyway, only for my curiosity: the field source should be unique, so the first (inclusive) condition should be sufficient and the second (exclusive) condition shouldn't be mandatory.

Ciao.

Giuseppe

nithys
Path Finder

Thanks @gcusello 

The inclusive condition also worked...

0 Karma
Get Updates on the Splunk Community!

Detecting Remote Code Executions With the Splunk Threat Research Team

WATCH NOWRemote code execution (RCE) vulnerabilities pose a significant risk to organizations. If exploited, ...

Enter the Splunk Community Dashboard Challenge for Your Chance to Win!

The Splunk Community Dashboard Challenge is underway! This is your chance to showcase your skills in creating ...

.conf24 | Session Scheduler is Live!!

.conf24 is happening June 11 - 14 in Las Vegas, and we are thrilled to announce that the conference catalog ...